Researchers from Kaspersky Lab ICS CERT discovered a wide range of severe security vulnerabilities that could turn a popular smart camera into a surveillance tool for someone else.

This specific model of camera is pimped as doubling as a baby monitor in addition to being used for “general security purposes” in homes and offices. Yet the 13 critical flaws could allow attackers to remotely take control of the cameras to do the following: access video and audio feeds, remotely “brick” the devices, use the cameras for mining cryptocurrencies, and use the cameras as an entry-point to launch attacks on local and external networks.

Samsung devices affected

The vulnerabilities were in HanWha Techwin’s SNH-V6410PN/PNW security cameras. While you may not have heard of Hanwha Techwin, you have definitely heard of Samsung. Kaspersky explained: “These problems exist not only in the camera being researched, but all manufacturers' smart cameras manufactured by Hanwha Techwin. The latter also makes firmware for Samsung cameras.”

To clarify, Kaspersky told me that before 2018, Hanwha was using Samsung as a brand name. The cameras were part of Samsung’s SmartCam line of products. Hanwha is now separate company.

The camera, which has night vision and a motion sensor, can capture video, supports two-way communication, and has a built-in speaker. It works with a cloud-based service and can be controlled via smartphones, tablets, or computers. Kaspersky Lab identified multiple vulnerabilities in the affected camera’s firmware and cloud implementation. In fact, the architecture of the cloud service was even vulnerable.

Regarding the dangerous vulnerability in the cloud service architecture, Kaspersky Lab’s researchers noted, “An intruder could gain access via the cloud to all cameras and control them. One of the main problems associated with the cloud architecture is that it is based on the XMPP protocol. Essentially, the entire Hanwha smart camera cloud is a Jabber server. It has so-called rooms, with cameras of one type in each room. An attacker could register an arbitrary account on the Jabber server and gain access to all rooms on that server.”

Roughly 2,000 of the cameras have publicly accessible IP addresses, but the real number of vulnerable devices placed behind routers and firewalls could be much higher; the flaws could exist in other Hanwha smart cameras using similar firmware and infrastructure.

Kaspersky Lab

Spoofing the DNS server address specified in the camera’s settings was described as one “interesting attack vector.” The attack is possible “because the update server is specified as a URL address in the camera’s configuration file. This type of attack can be implemented even if a camera doesn’t have a global IP address and is located within a NAT subnet.”

The researchers even discovered an undocumented capability that allows the camera to be manipulated via the web interface. They warned that distributing modified firmware to cameras with that undocumented functionality loophole preinstalled would grant privileged rights on those cameras.

“If an intruder gains privileged rights (root) on a camera, they gain access to the full Linux functionality,” they added. “This means the camera can be used as a foothold from which to attack devices located on local (within a NAT subnet) or global networks.”

Vladimir Dashchenko, head of vulnerabilities research group at Kaspersky Lab ICS CERT, said, “The problem with current IoT device security is that both customers and vendors mistakenly think that if you place the device inside your network, and separate it from the wider internet with the help of a router, you will solve most security problems — or at least significantly decrease the severity of existing issues. In many cases this is correct: before exploiting security issues in devices inside of a targeted network, one would need to gain access to the router.

"However, our research shows that this may not actually be the case at all: given that the cameras we investigated were only able to talk with the external world via a cloud service, which was totally vulnerable.”

Camera security flaws create numerous attack scenarios

There are numerous attack scenarios possible due to the 13 critical security flaws. A few examples include: “The attacker can remotely change the administrator’s password, execute arbitrary code on the camera, gain access to an entire cloud of cameras and take control of it, or build a botnet of vulnerable cameras. An attacker can gain access to an arbitrary SmartCam, as well as to any Hanwha smart cameras.”

If an attacker obtained the camera model, serial number and MAC address, he or she could clone a camera. After resetting the user’s password, the victim’s camera could be remotely disabled, and the video they see could be coming from the attacker’s cloned camera.

To receive notifications, users are supposed to enter their credentials from a variety of social media and online services, such as Twitter, Gmail, YouTube, etc. An attacker, however, could steal that personal information and use it to send phishing and spam messages.

Hanwha Techwin said some of the vulnerabilities have now be patched; others are expected to be fixed “soon.” The Samsung SmartCam site currently shows a server maintenance note for March 19, during which the web viewer for the camera model in Kaspersky’s research — V6410PN — will be unavailable. Samsung did not respond to a request for comment.

“A major problem is that IoT is now a booming market, and most of the companies try to implement very cool concepts that are not secured,” Dashchenko told CSO. “So, after the device or technology goes to market, it can be easily purchased by hundreds of thousands of people. And if it’s vulnerable — that’s a big problem. To solve this, IoT solutions should be secured by design. For example, they can be created based on the trusted environment.”